Featuring 36 Papers as of December 5, 2016
A Black-Box Approach to Embedded Systems Vulnerability Assessment by Michael Horkan - December 5, 2016
Vulnerability assessment of embedded systems is becoming more important due to the security needs of the ICS/SCADA environment as well as the emergence of the Internet of Things (IoT). Often, these assessments are left to test engineers without intimate knowledge of the device's design, with no access to firmware source or tools to debug the device while testing. This gold paper will describe a test lab black-box approach to evaluating an embedded device's security profile and possible vulnerabilities. Open-source tools such as Burp Suite and Python scripts based on the Sulley Fuzzing Framework will be employed and described. The health status of the device under test will be monitored remotely over a network connection. I include a discussion of an IoT test platform, implemented for Raspberry Pi, and how to approach the evaluation of IoT using this device as an example.
Ransomware by Susan Bradley - October 3, 2016
On a daily basis, a file gets clicked. An email attachment gets opened. A website gets browsed. Seemingly normal actions in every office, on every personal computer, can suddenly become a ransomware incident if the file, attachment or banner ad was intended to infect a system, and with it every file the user had access to, with ransomware. What was once a rare occurrence now impacts networks ranging from small businesses to large companies to governments.
Filling the Gaps by Robert Smith - August 18, 2016
There should be an emphasis on the importance of regular internal and external auditing, focusing on the business mentality of "It can't happen to me" and mitigating the risk of complacency. The key areas covered will be cementing assessments and audits as a benefit rather than a reactive or troublesome activity, and the cost savings from regular auditing compared with the alternatives, such as breaches and poor publicity. The world is full of technical and administrative compliance requirements; understanding where gaps are present is not something to be afraid of, but something to readily embrace, acting upon those deficiencies. Thinking that you are compliant and knowing you are compliant can make a large difference in business longevity and profitability.
Realistic Risk Management Using the CIS 20 Security Controls Masters
by Andrew Baze - August 1, 2016
Does your organization spend an inordinate amount of time “managing” risk, when the current state of security is known to be poor, with far too few resources available to deal with the top issues?
How to Target Critical Infrastructure: The Adversary Return on Investment from an Industrial Control System Masters
by Matthew Hosburgh - July 12, 2016
Imagine a device that could decrypt all encryption—within seconds. A box with this capability could be one of the most valuable pieces of equipment for an organization, but even more valuable to an adversary. What if that box only worked against American encryption? If true, a particular market would be ripe for the harvest. A device that powerful could be used to decrypt secrets and data in transit, making any encrypted data an adversary might have access to extremely valuable. Similarly, Critical Infrastructure is a target for some because of the yield that a successful attack could produce. Death, disruption or damage is a real possibility. The Return on Investment (ROI) and Return on Security Investment (ROSI) fall short in actually determining the level of protection required for an organization striving to protect its most sensitive data or systems. The Adversary Return on Investment (AROI) is the missing piece of the equation. From the adversary’s vantage point, data, infrastructure or systems have value. By understanding this value an organization can more appropriately align its security strategy, especially for the most critical infrastructure.
Extending your Business Network through a Virtual Private Network (VPN) Masters
by Kaleb Fornero - May 17, 2016
It’s safe to assume that most individuals reading this paper have leveraged a Virtual Private Network (VPN) at some point in their life, many on a daily basis.
Quantifying Risk: Closing the Chasm Between Cybersecurity and Cyber Insurance Analyst Paper
by Barbara Filkins - February 25, 2016
- Sponsored By: PivotPoint Risk Analytics
Sponsored by PivotPoint Risk Analytics, in conjunction with Advisen.
Crossing the line: Joining forces with your customers by Jules Vandalon - February 24, 2016
Anyone who starts in the field of information security quickly gets familiar with setting up a secure architecture, setting up defense mechanisms and much more.
Applying Data Analytics on Vulnerability Data by Yogesh Dhinwa - December 23, 2015
An organization with services spread across the globe depends on information technology and information systems. Adoption and compliance of information security standards have become mandatory for many organizations, especially those working under government regulations.
Framework for Innovative Security Decisions by Ergash Karshiev - November 3, 2015
Remember the Periodic Table of chemical elements (Dayah, Dynamic Periodic Table, 1997)? It revolutionized chemistry and continues serving scientists daily. TRIZ is a similar resource for inventors and decision-makers.
eAUDIT: Designing a generic tool to review entitlements Masters
by Francois Begin - June 22, 2015
In a perfect world, identity and access management would be handled in a fully automated way.
Is It Patched Or Is It Not? by Jason Simsay - April 23, 2015
Patch management tools may produce conflicting results.
Breaches Happen: Be Prepared Analyst Paper
by Stephen Northcutt - October 14, 2014
A whitepaper by SANS Analyst and Senior Instructor Stephen Northcutt. It describes how improved malware reporting and gateway monitoring, combined with security intelligence from both internal and external resources, helps organizations meet the requirements of frameworks such as the Critical Security Controls.
Risk, Loss and Security Spending in the Financial Sector: A SANS Survey Analyst Paper
by Mark Hardy - March 26, 2014
- Associated Webcasts: Risks, Threats and Preparedness: Part I of the SANS Financial Services Survey
- Sponsored By: ForeScout Technologies; Cisco Systems Inc.; Tenable Network Security; Blue Coat Systems, Inc.; Raytheon | Websense; FireEye
Survey identified key areas in which financial service employees and endpoints were most at risk, with direct losses resulting from internal abuse, spearphishing and botnet infections.
How to Win Friends and Remediate Vulnerabilities by Chad Butler - March 20, 2014
In today's era of rapid release development projects, finding vulnerabilities is not difficult.
Network and Endpoint Security "Get Hitched" for Better Visibility and Response Analyst Paper
by Jerry Shenk - July 10, 2013
- Associated Webcasts: Network and Endpoint Security "Get Hitched" for Better Visibility and Response
- Sponsored By: Carbon Black
How endpoint visibility, coordinated with network intelligence, can help identify threats not discovered by other means, determine the level of threat, recognize previously unknown threats and follow up with more accurate information for regulators and investigators.
SANS 2013 Critical Security Controls Survey: Moving From Awareness to Action Analyst Paper
by John Pescatore - June 25, 2013
Survey to determine how well the CSCs are known in government and private industry, how they are being used, and what we can learn from CSC implementations to date.
Reducing Risk Through Prevention: Implementing Critical Security Controls 1-4 Analyst Paper
by James Tarala - June 12, 2013
- Associated Webcasts: Leveraging the First Four Critical Security Controls for Holistic Improvements
- Sponsored By: Tripwire, Inc.
Examination of actual threats facing organizations today, methods dedicated attackers use to compromise systems using the “intrusion kill chain” as a model and specific defenses organizations can use to mitigate threat.
Implementing the Critical Security Controls Analyst Paper
by Jim Hietala - March 26, 2013
- Associated Webcasts: Secure Configuration in Action (and How to Apply It)
- Sponsored By: Tripwire, Inc.
This paper serves as a how-to for organizations in various stages of implementing the controls with real-world examples of CSC adoption.
Secure Configuration Management Demystified Analyst Paper
by Dave Shackleford - August 2, 2012
- Sponsored By: Tripwire, Inc.
Paper shows how to use secure configuration concepts to reduce the overall attack surface, bring better coordination among groups within IT and elsewhere, and ultimately reduce the risk to your business by continuously improving the IT environment.
Streamline Risk Management by Automating the SANS 20 Critical Security Controls Analyst Paper
by James Tarala - June 12, 2012
- Sponsored By: FireEye
Practical considerations for automating the 20 Critical Security Controls to create a more defensible network against these increasingly automated, persistent attacks.
Risk Assessment of Social Media by Robert Shullich - May 16, 2012
According to a September 2011 survey, 63% of respondents indicated “that employee use of social media puts their organization’s security at risk” while 29% “say they have the necessary security controls in place to mitigate or reduce the risk” (Ponemon Institute, 2011).
Reducing Federal Systems Risk with the SANS 20 Critical Controls Analyst Paper
by G. Mark Hardy - April 22, 2012
The 20 CSCs: are they a better approach than the ten-year-old FISMA? And how will adoption ultimately enhance security and operations overall?
A Preamble Into Aligning Systems Engineering and Information Security Risk Masters
by Craig Wright - February 20, 2012
This paper presents and extends the major statistical methods used in risk measurement and audit, and extends into other processes that are used within systems engineering (Elliott, Jeanblanc, & Yor, 2000).
Rationally Opting for the Insecure Alternative: Negative Externalities and the Selection of Security Controls Masters
by Craig Wright - September 19, 2011
Absolute security does not exist, nor can it be achieved. The statement that a computer is either secure or not is logically falsifiable (Peisert & Bishop, 2007); all systems exhibit a level of insecurity.
Continuous Monitoring: What It Is, Why It Is Needed, and How to Use It Analyst Paper
by E. Eugene Schultz, Ph.D. - June 17, 2011
- Sponsored By: Tripwire, Inc.
A review of continuous monitoring as defined by the NIST 800-137 guidelines.
Implementing the 20 Critical Controls with Security Information and Event Management (SIEM) Systems Analyst Paper
by James Tarala - April 5, 2011
- Sponsored By: ArcSight, an HP Company
This paper examines the top 20 controls, with advice on how to get started and an explanation of how SIEM systems can provide a central role in implementing the 20 critical controls effectively.
Measuring Psychological Variables of Control In Information Security by Josh More - January 12, 2011
“Perceived Control” is a core construct used in the psychology field that can be considered an aspect of empowerment (Eklund & Backstrom, 2006). Effectively, it is a measure of how much control people feel that they have, as opposed to the amount of “Actual Control” that they may have. It is often paired against constructs such as “Vicarious Control” and “Vicarious Perceived Control”, which measure the amount of control that outside entities have over the subject. Often, these are variables measured in the psychology/health field. For example, in the world of medicine, when patients report a lack of perceived control over controllable illnesses such as diabetes (Helgeson & Franzen, 1997), breast cancer (Helgeson, 1992) and heart disease (Helgeson, 1992), they often do more poorly than patients who feel that they have a greater sense of control over their illness. There is also evidence that students with high perceived control do substantially better academically than those with low perceived control, though this seems to also link with emotions surrounding the tasks at hand (Ruthig, Perry, Hladkyj, Hall, & Pekrun, 2008). In short, people who are interested in and excited by what they are doing tend to perform better.
Reducing Organizational Risk Through Virtual Patching Masters
by Joseph Faust - January 11, 2011
Software patching for IT departments across the organizational landscape has always been an integral part of maintaining functional, usable and stable software. Historically the traditional patch cycle has been focused on fixing or resolving issues which affect functionality. In recent years, with the advancement of more sophisticated and targeted threats which are occurring in quicker cycles, this focus is dramatically changing (Risk Assessment – Cisco, n.d.; Executive Office of The United States, 2005). Corporations and government now have a greater understanding of the potential losses and expenses incurred by not maintaining application security and are moving towards an increased focus on patching and security (Epstein, Grow & Tschang, 2008). With organizations’ reputations, consumer confidence and corporate secrets at risk, corporations and government are recognizing the need to shift and address vulnerabilities at a much faster pace than they historically have (Chan, 2004). Over roughly the last ten years, the length of time between the documentation of a given vulnerability in a piece of software and the development of an actual exploit that can take advantage of the weakness in the application has decreased tremendously. According to Andrew Jaquith, senior analyst at Yankee Group, the average time between vulnerability discovery and the release of exploit code is less than one week (“Shrinking time from,” 2006). It has also been identified that “99% of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available” (“Risk reduction and,” 2010). Clearly these statistics alone can prove daunting for many businesses trying to keep pace and maintain proper defenses against the bad guys.
A Question of Platinum Plus by Craig Wright - December 29, 2010
The fallacy of the black swan in risk has come full circle in information systems. Just as the deductive fallacy “a dicto secundum quid ad dictum simpliciter” allowed false assertions that black swans could not exist when they do, we see assertions that risk cannot be modeled without knowing all of the ‘black swans’ that can exist. The falsity of the black swan argument derives from a deductive statement that “every swan I have seen is white, so it must be true that all swans are white”. The problem is that what one has seen is a subset of the entire set. One cannot have seen all swans.
Real-Time Adaptive Security Analyst Paper
by Dave Shackleford - December 17, 2008
- Sponsored By: Cisco Systems Inc.
With security actions based on context, intrusion systems can adapt to real-time threats while giving visibility into what to investigate and where to investigate, and can even take or recommend action based on preset rules.
Monitoring Security and Performance on Converged Traffic Networks Analyst Paper
by Dave Shackleford - April 23, 2008
- Sponsored By: NIKSUN
For security teams to be effective within today’s converged networks, network performance and security monitoring need to converge as well.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact firstname.lastname@example.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.